<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Tue, 23 Jun 2026 23:43:40 +0000</lastBuildDate>
    <item>
      <title>93e71405-2399-4b22-903e-93a38110802b</title>
      <link>https://vulnerability.circl.lu/sighting/93e71405-2399-4b22-903e-93a38110802b/export</link>
      <description>{"uuid": "93e71405-2399-4b22-903e-93a38110802b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46705", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mnxsulhtsc2f", "content": "CVE-2026-46705 - russh server userauth state is not reset when authentication principal changes\nCVE ID : CVE-2026-46705\n \n Published : June 10, 2026, 8:21 p.m. | 56\u00a0minutes ago\n \n Description : Russh is a Rust SSH client &amp;amp; server library. From version 0.34.0-beta.1 to befo...", "creation_timestamp": "2026-06-10T23:00:19.086401Z"}</description>
      <content:encoded>{"uuid": "93e71405-2399-4b22-903e-93a38110802b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46705", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mnxsulhtsc2f", "content": "CVE-2026-46705 - russh server userauth state is not reset when authentication principal changes\nCVE ID : CVE-2026-46705\n \n Published : June 10, 2026, 8:21 p.m. | 56\u00a0minutes ago\n \n Description : Russh is a Rust SSH client &amp;amp; server library. From version 0.34.0-beta.1 to befo...", "creation_timestamp": "2026-06-10T23:00:19.086401Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/93e71405-2399-4b22-903e-93a38110802b/export</guid>
      <pubDate>Wed, 10 Jun 2026 23:00:19 +0000</pubDate>
    </item>
    <item>
      <title>f1f34b64-67df-4272-a2b4-cade075d8dfb</title>
      <link>https://vulnerability.circl.lu/sighting/f1f34b64-67df-4272-a2b4-cade075d8dfb/export</link>
      <description>{"uuid": "f1f34b64-67df-4272-a2b4-cade075d8dfb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46703", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mnxzmkp6552n", "content": "\ud83d\udd34 CVE-2026-46703 - Critical (9.6)\n\nBoxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-46703/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-11T01:01:07.026549Z"}</description>
      <content:encoded>{"uuid": "f1f34b64-67df-4272-a2b4-cade075d8dfb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46703", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mnxzmkp6552n", "content": "\ud83d\udd34 CVE-2026-46703 - Critical (9.6)\n\nBoxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-46703/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-11T01:01:07.026549Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/f1f34b64-67df-4272-a2b4-cade075d8dfb/export</guid>
      <pubDate>Thu, 11 Jun 2026 01:01:07 +0000</pubDate>
    </item>
    <item>
      <title>2c8e4d34-3b8b-4a2d-9af6-c801e9fa062c</title>
      <link>https://vulnerability.circl.lu/sighting/2c8e4d34-3b8b-4a2d-9af6-c801e9fa062c/export</link>
      <description>{"uuid": "2c8e4d34-3b8b-4a2d-9af6-c801e9fa062c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-46703", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mny3azh3772f", "content": "Boxlite (&amp;lt;0.9.0) CRITICAL flaw: attackers can write files anywhere on host via crafted OCI images \u2014 possible RCE risk. Upgrade to 0.9.0+ ASAP! https://radar.offseq.com/threat/cve-2026-46703-cwe-22-improper-limitation-of-a-pat-fb9f1664 #OffSeq #CVE202646703 #ContainerSecurity", "creation_timestamp": "2026-06-11T01:30:26.869189Z"}</description>
      <content:encoded>{"uuid": "2c8e4d34-3b8b-4a2d-9af6-c801e9fa062c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-46703", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mny3azh3772f", "content": "Boxlite (&amp;lt;0.9.0) CRITICAL flaw: attackers can write files anywhere on host via crafted OCI images \u2014 possible RCE risk. Upgrade to 0.9.0+ ASAP! https://radar.offseq.com/threat/cve-2026-46703-cwe-22-improper-limitation-of-a-pat-fb9f1664 #OffSeq #CVE202646703 #ContainerSecurity", "creation_timestamp": "2026-06-11T01:30:26.869189Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/2c8e4d34-3b8b-4a2d-9af6-c801e9fa062c/export</guid>
      <pubDate>Thu, 11 Jun 2026 01:30:26 +0000</pubDate>
    </item>
    <item>
      <title>5983badb-1e5e-40c8-83d9-18e2b376883c</title>
      <link>https://vulnerability.circl.lu/sighting/5983badb-1e5e-40c8-83d9-18e2b376883c/export</link>
      <description>{"uuid": "5983badb-1e5e-40c8-83d9-18e2b376883c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46702", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mnyac7hyk22n", "content": "\ud83d\udfe0 CVE-2026-46702 - High (7.5)\n\nRussh is a Rust SSH client &amp;amp; server library. From version 0.34.0 to before version 0.61.1, when S...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-46702/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-11T03:00:36.322105Z"}</description>
      <content:encoded>{"uuid": "5983badb-1e5e-40c8-83d9-18e2b376883c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46702", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mnyac7hyk22n", "content": "\ud83d\udfe0 CVE-2026-46702 - High (7.5)\n\nRussh is a Rust SSH client &amp;amp; server library. From version 0.34.0 to before version 0.61.1, when S...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-46702/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-11T03:00:36.322105Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/5983badb-1e5e-40c8-83d9-18e2b376883c/export</guid>
      <pubDate>Thu, 11 Jun 2026 03:00:36 +0000</pubDate>
    </item>
    <item>
      <title>1e4e4167-2734-4f0c-af23-6dadb2636cef</title>
      <link>https://vulnerability.circl.lu/sighting/1e4e4167-2734-4f0c-af23-6dadb2636cef/export</link>
      <description>{"uuid": "1e4e4167-2734-4f0c-af23-6dadb2636cef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46703", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mnybrfpang2d", "content": "CVE-2026-46703 - BoxLite: Path Traversal Vulnerability in boxlite Leads to Arbitrary File Write on the Host\nCVE ID : CVE-2026-46703\n \n Published : June 10, 2026, 11:16 p.m. | 2\u00a0hours, 48\u00a0minutes ago\n \n Description : Boxlite is a sandbox service that allows users to create ligh...", "creation_timestamp": "2026-06-11T03:26:58.561704Z"}</description>
      <content:encoded>{"uuid": "1e4e4167-2734-4f0c-af23-6dadb2636cef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46703", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mnybrfpang2d", "content": "CVE-2026-46703 - BoxLite: Path Traversal Vulnerability in boxlite Leads to Arbitrary File Write on the Host\nCVE ID : CVE-2026-46703\n \n Published : June 10, 2026, 11:16 p.m. | 2\u00a0hours, 48\u00a0minutes ago\n \n Description : Boxlite is a sandbox service that allows users to create ligh...", "creation_timestamp": "2026-06-11T03:26:58.561704Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/1e4e4167-2734-4f0c-af23-6dadb2636cef/export</guid>
      <pubDate>Thu, 11 Jun 2026 03:26:58 +0000</pubDate>
    </item>
    <item>
      <title>3114f2f7-b9ee-4f1c-b85c-7149b86dbf2b</title>
      <link>https://vulnerability.circl.lu/sighting/3114f2f7-b9ee-4f1c-b85c-7149b86dbf2b/export</link>
      <description>{"uuid": "3114f2f7-b9ee-4f1c-b85c-7149b86dbf2b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-46703", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116728884364901430", "content": "\ud83d\udea8 CRITICAL vuln in boxlite-ai Boxlite (&amp;lt;0.9.0): Malicious OCI images can exploit CWE-22 path traversal to write files anywhere on the host, leading to potential RCE. Upgrade to v0.9.0 ASAP. CVE-2026-46703. https://radar.offseq.com/threat/cve-2026-46703-cwe-22-improper-limitation-of-a-pat-fb9f1664 #OffSeq #CVE202646703 #ContainerSecurity", "creation_timestamp": "2026-06-11T07:04:43.279040Z"}</description>
      <content:encoded>{"uuid": "3114f2f7-b9ee-4f1c-b85c-7149b86dbf2b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-46703", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116728884364901430", "content": "\ud83d\udea8 CRITICAL vuln in boxlite-ai Boxlite (&amp;lt;0.9.0): Malicious OCI images can exploit CWE-22 path traversal to write files anywhere on the host, leading to potential RCE. Upgrade to v0.9.0 ASAP. CVE-2026-46703. https://radar.offseq.com/threat/cve-2026-46703-cwe-22-improper-limitation-of-a-pat-fb9f1664 #OffSeq #CVE202646703 #ContainerSecurity", "creation_timestamp": "2026-06-11T07:04:43.279040Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/3114f2f7-b9ee-4f1c-b85c-7149b86dbf2b/export</guid>
      <pubDate>Thu, 11 Jun 2026 07:04:43 +0000</pubDate>
    </item>
    <item>
      <title>0a55ab89-15af-4671-b931-cd7392bf3096</title>
      <link>https://vulnerability.circl.lu/sighting/0a55ab89-15af-4671-b931-cd7392bf3096/export</link>
      <description>{"uuid": "0a55ab89-15af-4671-b931-cd7392bf3096", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-46700", "type": "published-proof-of-concept", "source": "https://github.com/actualbudget/actual/security/advisories/GHSA-3f62-qv96-4p78", "content": "", "creation_timestamp": "2026-06-12T20:16:43.000000Z"}</description>
      <content:encoded>{"uuid": "0a55ab89-15af-4671-b931-cd7392bf3096", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-46700", "type": "published-proof-of-concept", "source": "https://github.com/actualbudget/actual/security/advisories/GHSA-3f62-qv96-4p78", "content": "", "creation_timestamp": "2026-06-12T20:16:43.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/0a55ab89-15af-4671-b931-cd7392bf3096/export</guid>
      <pubDate>Fri, 12 Jun 2026 20:16:43 +0000</pubDate>
    </item>
    <item>
      <title>79e0dcbd-f506-4aa5-88b5-0ea60d01cb52</title>
      <link>https://vulnerability.circl.lu/sighting/79e0dcbd-f506-4aa5-88b5-0ea60d01cb52/export</link>
      <description>{"uuid": "79e0dcbd-f506-4aa5-88b5-0ea60d01cb52", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46703", "type": "seen", "source": "https://bsky.app/profile/attrition.org/post/3mog7m2jsis2z", "content": "@f5labs.bsky.social re: www.f5.com/labs/article...  Are you using \"AI\" to do these? e.g. \"Threat Details and IOCs\" and \"CVE-2026-35273, CVE-2026-46695, CVE-2026-46703, CVE-2026-48558, CVE-2026-50545\" has nothing to do with the section above, and those CVEs are largely not for the software listed.", "creation_timestamp": "2026-06-16T16:25:31.310868Z"}</description>
      <content:encoded>{"uuid": "79e0dcbd-f506-4aa5-88b5-0ea60d01cb52", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46703", "type": "seen", "source": "https://bsky.app/profile/attrition.org/post/3mog7m2jsis2z", "content": "@f5labs.bsky.social re: www.f5.com/labs/article...  Are you using \"AI\" to do these? e.g. \"Threat Details and IOCs\" and \"CVE-2026-35273, CVE-2026-46695, CVE-2026-46703, CVE-2026-48558, CVE-2026-50545\" has nothing to do with the section above, and those CVEs are largely not for the software listed.", "creation_timestamp": "2026-06-16T16:25:31.310868Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/79e0dcbd-f506-4aa5-88b5-0ea60d01cb52/export</guid>
      <pubDate>Tue, 16 Jun 2026 16:25:31 +0000</pubDate>
    </item>
    <item>
      <title>231b1456-7159-4fa2-8971-f7ac97cea204</title>
      <link>https://vulnerability.circl.lu/sighting/231b1456-7159-4fa2-8971-f7ac97cea204/export</link>
      <description>{"uuid": "231b1456-7159-4fa2-8971-f7ac97cea204", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46701", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mojevvheah2c", "content": "CVE-2026-48814 - Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701)\nCVE ID : CVE-2026-48814\n \n Published : June 17, 2026, 7:42 p.m. | 2\u00a0hours ago\n \n Description : Network-AI is a TypeScript/Node.js multi-agent orchestrator. In ve...", "creation_timestamp": "2026-06-17T22:38:26.278750Z"}</description>
      <content:encoded>{"uuid": "231b1456-7159-4fa2-8971-f7ac97cea204", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46701", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mojevvheah2c", "content": "CVE-2026-48814 - Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701)\nCVE ID : CVE-2026-48814\n \n Published : June 17, 2026, 7:42 p.m. | 2\u00a0hours ago\n \n Description : Network-AI is a TypeScript/Node.js multi-agent orchestrator. In ve...", "creation_timestamp": "2026-06-17T22:38:26.278750Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/231b1456-7159-4fa2-8971-f7ac97cea204/export</guid>
      <pubDate>Wed, 17 Jun 2026 22:38:26 +0000</pubDate>
    </item>
    <item>
      <title>dd2de708-f0fa-415f-bc37-c64436c879a0</title>
      <link>https://vulnerability.circl.lu/sighting/dd2de708-f0fa-415f-bc37-c64436c879a0/export</link>
      <description>{"uuid": "dd2de708-f0fa-415f-bc37-c64436c879a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46701", "type": "seen", "source": "https://gist.github.com/alon710/95012eaaac31573d3f20cff3cfbc3e84", "content": "# CVE-2026-48814: CVE-2026-48814: Missing Authentication for Critical Orchestration Tools in Network-AI McpSseServer\n\n&amp;gt; **CVSS Score:** 9.1\n&amp;gt; **Published:** 2026-06-19\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48814\n\n## Summary\nCVE-2026-48814 is a critical vulnerability classified as Missing Authentication for Critical Function (CWE-306) in Network-AI, a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the Model Context Protocol (MCP) Server-Sent Events (SSE) server allows unauthenticated, cross-origin invocation of sensitive orchestration tools. This vulnerability stems from an incomplete fix for CVE-2026-46701, where library-level server class initializations still default to an insecure empty-secret configuration, allowing remote attackers or Server-Side Request Forgery (SSRF) agents to execute administrative tools.\n\n## TL;DR\nThe Network-AI library (versions &amp;lt;= 5.7.1) features an insecure default configuration in its MCP Server-Sent Events server component. If initialized without a secret, it permits unauthenticated remote callers to invoke any of its 22 critical orchestration tools, potentially leading to unauthorized data exposure, state mutation, and arbitrary agent spawning.\n\n## Technical Details\n\n- **CWE ID**: CWE-306 (Missing Authentication for Critical Function)\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 9.1 (Critical)\n- **EPSS Score**: 0.00297 (~0.30% probability)\n- **Impact**: High Confidentiality, High Integrity, No Availability\n- **Exploit Status**: None (No public weaponized exploit available)\n- **KEV Status**: Not listed in CISA KEV Catalog\n\n## Affected Systems\n\n- Network-AI library environments implementing custom McpSseServer integrations\n- Node.js multi-agent orchestration backends running network-ai versions &amp;lt;= 5.7.1\n- **network-ai**: &amp;lt;= 5.7.1 (Fixed in: `5.7.2`)\n\n## Mitigation\n\n- Upgrade the network-ai dependency to version 5.7.2 or later.\n- Instantiate the McpSseServer class with a non-empty, cryptographically secure secret.\n- Restrict binding configurations to loopback addresses (127.0.0.1, localhost) instead of binding to 0.0.0.0.\n- Utilize local standard input/output (McpStdioTransport) transport channels where network binding is not strictly required.\n\n**Remediation Steps:**\n1. Run 'npm install network-ai@5.7.2' to update the library to the patched version.\n2. Audit custom integration files importing 'McpSseServer' from 'network-ai' and ensure a strong secret is passed during initialization.\n3. Ensure the server initialization code does not fail open when environment variables are missing.\n\n## References\n\n- [GitHub Security Advisory Record](https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-r78r-rwrf-rjwp)\n- [GitHub Release Log v5.7.2](https://github.com/Jovancoding/Network-AI/releases/tag/v5.7.2)\n- [GitHub Advisory Database Mapping](https://github.com/advisories/GHSA-j3vx-cx2r-pvg8)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48814) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-19T14:11:51.000000Z"}</description>
      <content:encoded>{"uuid": "dd2de708-f0fa-415f-bc37-c64436c879a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46701", "type": "seen", "source": "https://gist.github.com/alon710/95012eaaac31573d3f20cff3cfbc3e84", "content": "# CVE-2026-48814: CVE-2026-48814: Missing Authentication for Critical Orchestration Tools in Network-AI McpSseServer\n\n&amp;gt; **CVSS Score:** 9.1\n&amp;gt; **Published:** 2026-06-19\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48814\n\n## Summary\nCVE-2026-48814 is a critical vulnerability classified as Missing Authentication for Critical Function (CWE-306) in Network-AI, a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the Model Context Protocol (MCP) Server-Sent Events (SSE) server allows unauthenticated, cross-origin invocation of sensitive orchestration tools. This vulnerability stems from an incomplete fix for CVE-2026-46701, where library-level server class initializations still default to an insecure empty-secret configuration, allowing remote attackers or Server-Side Request Forgery (SSRF) agents to execute administrative tools.\n\n## TL;DR\nThe Network-AI library (versions &amp;lt;= 5.7.1) features an insecure default configuration in its MCP Server-Sent Events server component. If initialized without a secret, it permits unauthenticated remote callers to invoke any of its 22 critical orchestration tools, potentially leading to unauthorized data exposure, state mutation, and arbitrary agent spawning.\n\n## Technical Details\n\n- **CWE ID**: CWE-306 (Missing Authentication for Critical Function)\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 9.1 (Critical)\n- **EPSS Score**: 0.00297 (~0.30% probability)\n- **Impact**: High Confidentiality, High Integrity, No Availability\n- **Exploit Status**: None (No public weaponized exploit available)\n- **KEV Status**: Not listed in CISA KEV Catalog\n\n## Affected Systems\n\n- Network-AI library environments implementing custom McpSseServer integrations\n- Node.js multi-agent orchestration backends running network-ai versions &amp;lt;= 5.7.1\n- **network-ai**: &amp;lt;= 5.7.1 (Fixed in: `5.7.2`)\n\n## Mitigation\n\n- Upgrade the network-ai dependency to version 5.7.2 or later.\n- Instantiate the McpSseServer class with a non-empty, cryptographically secure secret.\n- Restrict binding configurations to loopback addresses (127.0.0.1, localhost) instead of binding to 0.0.0.0.\n- Utilize local standard input/output (McpStdioTransport) transport channels where network binding is not strictly required.\n\n**Remediation Steps:**\n1. Run 'npm install network-ai@5.7.2' to update the library to the patched version.\n2. Audit custom integration files importing 'McpSseServer' from 'network-ai' and ensure a strong secret is passed during initialization.\n3. Ensure the server initialization code does not fail open when environment variables are missing.\n\n## References\n\n- [GitHub Security Advisory Record](https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-r78r-rwrf-rjwp)\n- [GitHub Release Log v5.7.2](https://github.com/Jovancoding/Network-AI/releases/tag/v5.7.2)\n- [GitHub Advisory Database Mapping](https://github.com/advisories/GHSA-j3vx-cx2r-pvg8)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48814) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-19T14:11:51.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/dd2de708-f0fa-415f-bc37-c64436c879a0/export</guid>
      <pubDate>Fri, 19 Jun 2026 14:11:51 +0000</pubDate>
    </item>
  </channel>
</rss>
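Added example, not code from vulnerability-lookup or python-feedgen: an offline consumer for a sightings feed laid out like the one above. It parses the RSS, decodes each `description` as JSON, undoes the HTML escaping the feed applies to post bodies on top of the XML escaping (so the `&amp;lt;` seen in the items above comes out as `<`), upper-cases the `vulnerability` field (the feed carries both `cve-2026-46703` and `CVE-2026-46703`), groups sightings by type, and reports sightings filed under one CVE whose post body names another, as the Network-AI items above do for CVE-2026-46701 and CVE-2026-48814. `SAMPLE_FEED` is a constructed three-item excerpt modelled on this page, not a download; its `example.invalid` source URLs are placeholders.

```python
"""Offline consumer for a vulnerability-lookup sightings RSS feed.

Added example; not code from vulnerability-lookup or python-feedgen.
SAMPLE_FEED is a constructed excerpt modelled on the feed layout, with
placeholder source URLs.
"""
import html
import json
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# The feed carries CVE ids in both cases ("cve-2026-46703", "CVE-2026-46703").
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample, not a live download. Note "&amp;lt;" in the body: the
# post text is HTML-escaped once by the feed and once more as XML text.
SAMPLE_FEED = """<?xml version='1.0' encoding='UTF-8'?>
<rss version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <item>
      <title>2c8e4d34-3b8b-4a2d-9af6-c801e9fa062c</title>
      <description>{"uuid": "2c8e4d34-3b8b-4a2d-9af6-c801e9fa062c", "vulnerability": "cve-2026-46703", "type": "seen", "source": "https://example.invalid/post/1", "content": "Boxlite (&amp;lt;0.9.0) CRITICAL flaw: upgrade to 0.9.0+ ASAP!", "creation_timestamp": "2026-06-11T01:30:26.869189Z"}</description>
      <pubDate>Thu, 11 Jun 2026 01:30:26 +0000</pubDate>
    </item>
    <item>
      <title>231b1456-7159-4fa2-8971-f7ac97cea204</title>
      <description>{"uuid": "231b1456-7159-4fa2-8971-f7ac97cea204", "vulnerability": "CVE-2026-46701", "type": "seen", "source": "https://example.invalid/post/2", "content": "CVE-2026-48814 - Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701)", "creation_timestamp": "2026-06-17T22:38:26.278750Z"}</description>
      <pubDate>Wed, 17 Jun 2026 22:38:26 +0000</pubDate>
    </item>
    <item>
      <title>0a55ab89-15af-4671-b931-cd7392bf3096</title>
      <description>{"uuid": "0a55ab89-15af-4671-b931-cd7392bf3096", "vulnerability": "CVE-2026-46700", "type": "published-proof-of-concept", "source": "https://example.invalid/advisory/3", "content": "", "creation_timestamp": "2026-06-12T20:16:43.000000Z"}</description>
      <pubDate>Fri, 12 Jun 2026 20:16:43 +0000</pubDate>
    </item>
  </channel>
</rss>
"""


def parse_sightings(feed_xml: str) -> list[dict]:
    """Decode every <item> into its JSON record, with normalised fields added."""
    # Encode to bytes so the XML declaration's encoding is honoured by expat.
    root = ET.fromstring(feed_xml.encode("utf-8"))
    sightings = []
    for item in root.iter("item"):
        # <description> and <content:encoded> carry the same JSON; read one.
        rec = json.loads(item.findtext("description") or "{}")
        # The XML parser already turned "&amp;lt;" into "&lt;"; the feed's own
        # HTML escaping of the post body needs a second unescape. Empty
        # bodies (proof-of-concept sightings, for example) stay empty.
        rec["content"] = html.unescape(rec.get("content") or "")
        rec["vulnerability"] = rec["vulnerability"].upper()
        # Every CVE id named in the body, not just the one the sighting is filed under.
        rec["mentioned"] = sorted({m.upper() for m in CVE_RE.findall(rec["content"])})
        sightings.append(rec)
    return sightings


def count_by_cve(sightings: list[dict]) -> dict[str, int]:
    """Sightings per CVE after case normalisation, so mixed-case ids collapse."""
    counts: dict[str, int] = defaultdict(int)
    for s in sightings:
        counts[s["vulnerability"]] += 1
    return dict(counts)


def by_type(sightings: list[dict]) -> dict[str, list[str]]:
    """CVEs grouped by sighting type ("seen", "published-proof-of-concept", ...)."""
    groups: dict[str, set[str]] = defaultdict(set)
    for s in sightings:
        groups[s["type"]].add(s["vulnerability"])
    return {kind: sorted(ids) for kind, ids in groups.items()}


def cross_references(sightings: list[dict]) -> dict[str, list[str]]:
    """CVE ids a sighting names beyond the one it is filed under.

    Sightings are keyed on the looked-up CVE, so a follow-up id in the post
    body (an incomplete-fix CVE, for example) is only visible this way.
    """
    refs: dict[str, set[str]] = defaultdict(set)
    for s in sightings:
        extra = set(s["mentioned"]) - {s["vulnerability"]}
        if extra:
            refs[s["vulnerability"]].update(extra)
    return {cve: sorted(ids) for cve, ids in refs.items()}


if __name__ == "__main__":
    found = parse_sightings(SAMPLE_FEED)
    print("sightings per CVE:", count_by_cve(found))
    print("by type:", by_type(found))
    print("cross-references:", cross_references(found))
```

To run this against the live feed, fetch the RSS body over HTTPS and pass it to `parse_sightings`; the duplicate `content:encoded` element is ignored on purpose, and any sighting whose description is not valid JSON will raise from `json.loads` rather than being silently skipped.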
